!305 fix 修复用户相关更新操作会越权的问题

Merge pull request !305 from 丶Stone/5.X
疯狂的狮子Li 2023-03-10 14:17:25 +00:00 committed by Gitee
commit 69edf436da
5 changed files with 84 additions and 43 deletions


@ -83,7 +83,6 @@ public class SysProfileController extends BaseController {
@PutMapping("/updatePwd") @PutMapping("/updatePwd")
public R<Void> updatePwd(String oldPassword, String newPassword) { public R<Void> updatePwd(String oldPassword, String newPassword) {
SysUserVo user = userService.selectUserById(LoginHelper.getUserId()); SysUserVo user = userService.selectUserById(LoginHelper.getUserId());
String userName = user.getUserName();
String password = user.getPassword(); String password = user.getPassword();
if (!BCrypt.checkpw(oldPassword, password)) { if (!BCrypt.checkpw(oldPassword, password)) {
return R.fail("修改密码失败,旧密码错误"); return R.fail("修改密码失败,旧密码错误");
@ -92,7 +91,7 @@ public class SysProfileController extends BaseController {
return R.fail("新密码不能与旧密码相同"); return R.fail("新密码不能与旧密码相同");
} }
if (userService.resetUserPwd(userName, BCrypt.hashpw(newPassword)) > 0) { if (userService.resetUserPwd(user.getUserId(), BCrypt.hashpw(newPassword)) > 0) {
return R.ok(); return R.ok();
} }
return R.fail("修改密码异常,请联系管理员"); return R.fail("修改密码异常,请联系管理员");
@ -113,7 +112,7 @@ public class SysProfileController extends BaseController {
} }
SysOssVo oss = sysOssService.upload(avatarfile); SysOssVo oss = sysOssService.upload(avatarfile);
String avatar = oss.getUrl(); String avatar = oss.getUrl();
if (userService.updateUserAvatar(LoginHelper.getUsername(), oss.getOssId())) { if (userService.updateUserAvatar(LoginHelper.getUserId(), oss.getOssId())) {
AvatarVo avatarVo = new AvatarVo(); AvatarVo avatarVo = new AvatarVo();
avatarVo.setImgUrl(avatar); avatarVo.setImgUrl(avatar);
return R.ok(avatarVo); return R.ok(avatarVo);
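Review bot: In the updatePwd hunk, `user` returned by `selectUserById(LoginHelper.getUserId())` is dereferenced on the next line without a null check, so a session whose user row has since been deleted or disabled reaches `user.getPassword()` and fails with an NPE instead of a controlled response; the switch to `user.getUserId()` on the reset call makes the method depend on that lookup even more. A guard right after the lookup, `if (user == null) { return R.fail("用户不存在"); }`, keeps the failure explicit and avoids leaking a stack trace. Keying the reset and avatar updates by user id rather than user name is the right fix for the stated over-privilege, since a login name can be changed while the id cannot. The bodies of updatePwd and the avatar method both continue outside the hunk.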


@ -182,7 +182,7 @@ public class SysUserController extends BaseController {
userService.checkUserAllowed(user); userService.checkUserAllowed(user);
userService.checkUserDataScope(user.getUserId()); userService.checkUserDataScope(user.getUserId());
user.setPassword(BCrypt.hashpw(user.getPassword())); user.setPassword(BCrypt.hashpw(user.getPassword()));
return toAjax(userService.resetPwd(user)); return toAjax(userService.resetUserPwd(user.getUserId(),user.getPassword()));
} }
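Review bot: The new resetUserPwd call reads the hash back out of the BO that the previous line just wrote it into, so the request object now carries the BCrypt hash in place of the plaintext only to serve as a temporary. With `resetPwd(user)` removed, hashing directly into the call is simpler and keeps the BO's state unambiguous: `return toAjax(userService.resetUserPwd(user.getUserId(), BCrypt.hashpw(user.getPassword())));`, which also fixes the missing space after the comma. The checkUserAllowed and checkUserDataScope calls above it remain the authorization gate for this admin path, so they should stay before the hash.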
/** /**


@ -106,4 +106,18 @@ public interface SysUserMapper extends BaseMapperPlus<SysUserMapper, SysUser, Sy
*/ */
SysUserVo selectUserById(Long userId); SysUserVo selectUserById(Long userId);
@Override
@DataPermission({
@DataColumn(key = "deptName", value = "dept_id"),
@DataColumn(key = "userName", value = "user_id")
})
int update(@Param(Constants.ENTITY) SysUser user,@Param(Constants.WRAPPER) Wrapper<SysUser> updateWrapper);
@Override
@DataPermission({
@DataColumn(key = "deptName", value = "dept_id"),
@DataColumn(key = "userName", value = "user_id")
})
int updateById(@Param(Constants.ENTITY) SysUser user);
} }
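Review bot: The two new @DataPermission overrides scope every update and updateById on sys_user to the caller's dept/user data scope, which closes the update over-privilege, but the delete paths (`deleteById`, `deleteBatchIds`, used by the service's deleteUserById and deleteUserByIds) get no such annotation and still rely solely on the controller-level checkUserDataScope call; if that check is ever bypassed the mapper will delete rows outside the caller's scope. Consider adding the same annotation set to the delete overrides so the guard lives in one place. Both overrides also lack Javadoc; a one-liner such as `/** Scoped to the caller's data permission (dept_id / user_id); applies to self-service profile updates as well. */` would tell the next reader that this filter is now on the path of every SysUser update, including the SysProfileController flows, which presumably works because the scope always includes the caller's own user_id — worth confirming against the DataPermission implementation.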


@ -170,28 +170,20 @@ public interface ISysUserService {
/** /**
* 修改用户头像 * 修改用户头像
* *
* @param userName 用户名 * @param userId 用户ID
* @param avatar 头像地址 * @param avatar 头像地址
* @return 结果 * @return 结果
*/ */
boolean updateUserAvatar(String userName, Long avatar); boolean updateUserAvatar(Long userId, Long avatar);
/** /**
* 重置用户密码 * 重置用户密码
* *
* @param user 用户信息 * @param userId 用户ID
* @return 结果
*/
int resetPwd(SysUserBo user);
/**
* 重置用户密码
*
* @param userName 用户名
* @param password 密码 * @param password 密码
* @return 结果 * @return 结果
*/ */
int resetUserPwd(String userName, String password); int resetUserPwd(Long userId, String password);
/** /**
* 通过用户ID删除用户 * 通过用户ID删除用户
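Review bot: The new `resetUserPwd(Long userId, String password)` Javadoc still documents `password` as just "密码", but both callers in this commit (SysProfileController.updatePwd and SysUserController.resetPwd) hash with BCrypt before calling, and the implementation writes the value straight to the password column; a future caller that passes plaintext would store it unhashed with no signal from the contract. The parameter line should state that precondition explicitly, e.g. `@param password the BCrypt hash of the new password, never the plaintext`. The same applies to `@return 结果` on both methods, which is more useful as "affected row count".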


@ -36,8 +36,10 @@ import org.springframework.cache.annotation.Cacheable;
import org.springframework.stereotype.Service; import org.springframework.stereotype.Service;
import org.springframework.transaction.annotation.Transactional; import org.springframework.transaction.annotation.Transactional;
import java.util.Arrays;
import java.util.List; import java.util.List;
import java.util.Map; import java.util.Map;
import java.util.stream.Collectors;
/** /**
* 用户 业务层处理 * 用户 业务层处理
@ -317,7 +319,12 @@ public class SysUserServiceImpl implements ISysUserService, UserService {
// 新增用户与岗位管理 // 新增用户与岗位管理
insertUserPost(user); insertUserPost(user);
SysUser sysUser = MapstructUtils.convert(user, SysUser.class); SysUser sysUser = MapstructUtils.convert(user, SysUser.class);
return baseMapper.updateById(sysUser); //防止错误更新后导致的数据误删除
int flag = baseMapper.updateById(sysUser);
if (flag <= 0){
throw new ServiceException("修改用户"+user.getUserName()+"信息失败");
}
return flag;
} }
/** /**
@ -342,8 +349,10 @@ public class SysUserServiceImpl implements ISysUserService, UserService {
*/ */
@Override @Override
public int updateUserStatus(SysUserBo user) { public int updateUserStatus(SysUserBo user) {
SysUser sysUser = MapstructUtils.convert(user, SysUser.class); return baseMapper.update(null,
return baseMapper.updateById(sysUser); new LambdaUpdateWrapper<SysUser>()
.set(SysUser::getStatus, user.getStatus())
.eq(SysUser::getUserId, user.getUserId()));
} }
/** /**
@ -354,50 +363,43 @@ public class SysUserServiceImpl implements ISysUserService, UserService {
*/ */
@Override @Override
public int updateUserProfile(SysUserBo user) { public int updateUserProfile(SysUserBo user) {
SysUser sysUser = MapstructUtils.convert(user, SysUser.class); return baseMapper.update(null,
return baseMapper.updateById(sysUser); new LambdaUpdateWrapper<SysUser>()
.set(ObjectUtil.isNotNull(user.getNickName()), SysUser::getNickName, user.getNickName())
.set(SysUser::getPhonenumber, user.getPhonenumber())
.set(SysUser::getEmail, user.getEmail())
.set(SysUser::getSex, user.getSex())
.eq(SysUser::getUserId, user.getUserId()));
} }
/** /**
* 修改用户头像 * 修改用户头像
* *
* @param userName 用户名 * @param userId 用户ID
* @param avatar 头像地址 * @param avatar 头像地址
* @return 结果 * @return 结果
*/ */
@Override @Override
public boolean updateUserAvatar(String userName, Long avatar) { public boolean updateUserAvatar(Long userId, Long avatar) {
return baseMapper.update(null, return baseMapper.update(null,
new LambdaUpdateWrapper<SysUser>() new LambdaUpdateWrapper<SysUser>()
.set(SysUser::getAvatar, avatar) .set(SysUser::getAvatar, avatar)
.eq(SysUser::getUserName, userName)) > 0; .eq(SysUser::getUserId, userId)) > 0;
} }
/** /**
* 重置用户密码 * 重置用户密码
* *
* @param user 用户信息 * @param userId 用户ID
* @return 结果
*/
@Override
public int resetPwd(SysUserBo user) {
SysUser sysUser = MapstructUtils.convert(user, SysUser.class);
return baseMapper.updateById(sysUser);
}
/**
* 重置用户密码
*
* @param userName 用户名
* @param password 密码 * @param password 密码
* @return 结果 * @return 结果
*/ */
@Override @Override
public int resetUserPwd(String userName, String password) { public int resetUserPwd(Long userId, String password) {
return baseMapper.update(null, return baseMapper.update(null,
new LambdaUpdateWrapper<SysUser>() new LambdaUpdateWrapper<SysUser>()
.set(SysUser::getPassword, password) .set(SysUser::getPassword, password)
.eq(SysUser::getUserName, userName)); .eq(SysUser::getUserId, userId));
} }
/** /**
@ -417,8 +419,20 @@ public class SysUserServiceImpl implements ISysUserService, UserService {
public void insertUserPost(SysUserBo user) { public void insertUserPost(SysUserBo user) {
Long[] posts = user.getPostIds(); Long[] posts = user.getPostIds();
if (ArrayUtil.isNotEmpty(posts)) { if (ArrayUtil.isNotEmpty(posts)) {
//判断是否具有此角色的岗位权限
List<Long> postList = postMapper.selectPostListByUserId(LoginHelper.getUserId());
if (postList.isEmpty()){
throw new ServiceException("您不具有操作岗位的权限");
}
List<Long> postIdList = Arrays.asList(posts);
List<Long> canDoPostList = postIdList.stream()
.filter(postList::contains)
.collect(Collectors.toList());
if (canDoPostList.isEmpty()){
throw new ServiceException("您不具有操作当前岗位的权限");
}
// 新增用户与岗位管理 // 新增用户与岗位管理
List<SysUserPost> list = StreamUtils.toList(List.of(posts), postId -> { List<SysUserPost> list = StreamUtils.toList(canDoPostList, postId -> {
SysUserPost up = new SysUserPost(); SysUserPost up = new SysUserPost();
up.setUserId(user.getUserId()); up.setUserId(user.getUserId());
up.setPostId(postId); up.setPostId(postId);
@ -436,8 +450,20 @@ public class SysUserServiceImpl implements ISysUserService, UserService {
*/ */
public void insertUserRole(Long userId, Long[] roleIds) { public void insertUserRole(Long userId, Long[] roleIds) {
if (ArrayUtil.isNotEmpty(roleIds)) { if (ArrayUtil.isNotEmpty(roleIds)) {
//判断是否具有此角色的操作权限
List<Long> roleList = roleMapper.selectRoleListByUserId(LoginHelper.getUserId());
if (roleList.isEmpty()){
throw new ServiceException("您不具有操作角色的权限");
}
List<Long> roleIdList = Arrays.asList(roleIds);
List<Long> canDoRoleList = roleIdList.stream()
.filter(roleList::contains)
.collect(Collectors.toList());
if (canDoRoleList.isEmpty()){
throw new ServiceException("您不具有操作当前角色的权限");
}
// 新增用户与角色管理 // 新增用户与角色管理
List<SysUserRole> list = StreamUtils.toList(List.of(roleIds), roleId -> { List<SysUserRole> list = StreamUtils.toList(canDoRoleList, roleId -> {
SysUserRole ur = new SysUserRole(); SysUserRole ur = new SysUserRole();
ur.setUserId(userId); ur.setUserId(userId);
ur.setRoleId(roleId); ur.setRoleId(roleId);
@ -460,7 +486,12 @@ public class SysUserServiceImpl implements ISysUserService, UserService {
userRoleMapper.delete(new LambdaQueryWrapper<SysUserRole>().eq(SysUserRole::getUserId, userId)); userRoleMapper.delete(new LambdaQueryWrapper<SysUserRole>().eq(SysUserRole::getUserId, userId));
// 删除用户与岗位表 // 删除用户与岗位表
userPostMapper.delete(new LambdaQueryWrapper<SysUserPost>().eq(SysUserPost::getUserId, userId)); userPostMapper.delete(new LambdaQueryWrapper<SysUserPost>().eq(SysUserPost::getUserId, userId));
return baseMapper.deleteById(userId); // 防止更新失败导致的数据删除
int flag = baseMapper.deleteById(userId);
if (flag <= 0){
throw new ServiceException("删除用户发生异常");
}
return flag;
} }
/** /**
@ -481,7 +512,12 @@ public class SysUserServiceImpl implements ISysUserService, UserService {
userRoleMapper.delete(new LambdaQueryWrapper<SysUserRole>().in(SysUserRole::getUserId, ids)); userRoleMapper.delete(new LambdaQueryWrapper<SysUserRole>().in(SysUserRole::getUserId, ids));
// 删除用户与岗位表 // 删除用户与岗位表
userPostMapper.delete(new LambdaQueryWrapper<SysUserPost>().in(SysUserPost::getUserId, ids)); userPostMapper.delete(new LambdaQueryWrapper<SysUserPost>().in(SysUserPost::getUserId, ids));
return baseMapper.deleteBatchIds(ids); // 防止更新失败导致的数据删除
int flag = baseMapper.deleteBatchIds(ids);
if (flag <= 0){
throw new ServiceException("删除用户发生异常");
}
return flag;
} }
@Cacheable(cacheNames = CacheNames.SYS_USER_NAME, key = "#userId") @Cacheable(cacheNames = CacheNames.SYS_USER_NAME, key = "#userId")
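Review bot: In the insertUserPost hunk, the new check intersects the requested post ids with the operator's own posts and silently proceeds with the subset (`canDoPostList`), throwing only when the intersection is empty; a request for posts {A, B} where only A is permitted succeeds and assigns A alone, so the caller gets a success result for an operation that was partly refused, and the over-privileged part is never surfaced. Rejecting the request when any requested id falls outside the allowed set is the safer contract and is what the error message already implies. The same shape repeats in the insertUserRole hunk with `canDoRoleList`, and `postList::contains` on a List makes the filter quadratic — a `Set` copy is cheaper. The comment on the first added line, "判断是否具有此角色的岗位权限", reads as a paste from the role variant.
```java
//判断是否具有此岗位的操作权限
List<Long> allowedPosts = postMapper.selectPostListByUserId(LoginHelper.getUserId());
if (allowedPosts.isEmpty()){
    throw new ServiceException("您不具有操作岗位的权限");
}
Set<Long> allowed = new HashSet<>(allowedPosts);
boolean hasForbidden = Arrays.stream(posts).anyMatch(id -> !allowed.contains(id));
if (hasForbidden){
    throw new ServiceException("您不具有操作当前岗位的权限");
}
// … unchanged: build SysUserPost list from posts and batch insert …
```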